Gleam is a marketing app suite (Competitions, Rewards, Galleries, Capture) embedded as a JavaScript widget on a publisher site. It collects participant entries, connects to social networks (Facebook, Twitter, Instagram, TikTok) to verify actions, and stores the data on Gleam.io servers in Australia. As a third party widget loading social plugins, it requires prior consent under the GDPR and the ePrivacy Directive.
Gleam.io is an Australian SaaS that powers giveaways, competitions, sweepstakes, rewards programmes and user generated galleries. Its widgets are embedded as a JavaScript snippet on the publisher site and orchestrate the entry workflow, verifying actions via integrations with Facebook, Twitter, Instagram, TikTok, YouTube, Discord and dozens of other platforms. Gleam is widely used by ecommerce, gaming and media publishers in Europe.
The Gleam widget sets first party cookies (gleam_session, gleam_anon_id) to deduplicate entries and remember the participant's state inside a campaign. When a user connects a social account, Gleam stores the OAuth token and a hashed user ID on its servers. Embedded social plugins can in turn drop their own third party cookies.
Loading the gleam.js widget triggers cookie storage and the loading of third party social plugins, which both fall under Article 5(3) ePrivacy and require prior consent. The processing of participant data, social IDs and email addresses for promotional purposes additionally requires a clear legal basis under the GDPR, typically consent or contract performance for the giveaway terms.
Block the Gleam widget through your CMP until the visitor accepts the marketing category. Use the click to consent pattern for social plugins inside the widget so that no Facebook, Twitter or Instagram cookie is dropped before the user explicitly chooses to connect. Document the giveaway terms and the data retention separately for participants who win and those who do not.
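One way to implement the blocking step, as an added example that is not Gleam's or any CMP vendor's code: the script tag is injected only when the marketing category is explicitly granted and removed again on withdrawal. The consent object shape (`{ marketing: true }`), the name `createWidgetGate` and the script path are assumptions; take the real snippet URL from your campaign's embed code.

```javascript
// Placeholder path on a host the page lists; replace with your campaign's embed URL.
const WIDGET_SRC = "https://widget.gleam.io/PLACEHOLDER.js";

// doc is the browser's `document` (or a stub in tests).
// category is the CMP category the widget is filed under (assumed "marketing").
function createWidgetGate(doc, src, category = "marketing") {
  let scriptEl = null;
  return {
    // Call once on page load with the stored choices, then on every CMP change event.
    // Returns true when the widget script is present in the page.
    update(consent) {
      // Fail closed: only the boolean true counts, not "true", 1 or a missing record.
      const granted = consent != null && consent[category] === true;
      if (granted && !scriptEl) {
        scriptEl = doc.createElement("script");
        scriptEl.src = src;
        scriptEl.async = true;
        doc.head.appendChild(scriptEl);
      } else if (!granted && scriptEl) {
        // Withdrawal: removing the tag stops future loads only. Cookies already
        // written stay until they expire or are cleared.
        doc.head.removeChild(scriptEl);
        scriptEl = null;
      }
      return scriptEl !== null;
    },
  };
}
```

In the browser, create the gate with `createWidgetGate(document, WIDGET_SRC)` and call `update` from your CMP's consent callback.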
Gleam.io Pty Ltd is established in Melbourne, Australia, and runs infrastructure in Australia, the United States and Cloudflare edges worldwide. The EU Commission has not adopted an adequacy decision for Australia, so the transfer must rely on Standard Contractual Clauses with supplementary measures, plus an EU-U.S. Data Privacy Framework certification for any US subprocessor.
Gate the widget on a CMP signal, sign the Gleam Data Processing Addendum, document Gleam.io Pty Ltd in your records of processing as a processor in Australia, define a retention policy for entries and OAuth tokens, and provide entrants with a clear privacy notice for the giveaway.
Websites using Gleam must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA should be considered when Gleam campaigns process large volumes of personal data, when special categories are collected (preferences, location), or when integrations send data to social platforms with their own targeting beyond verification.
Sample consent text
We use Gleam.io to run giveaways and competitions on this site. With your consent, Gleam will set cookies on your device, load social plugins (Facebook, Twitter, Instagram) and transfer your entry data to Gleam.io Pty Ltd in Australia. You can refuse or withdraw your consent at any time from the cookie settings.
Third-party domains contacted
gleam.io, assets.gleam.io, widget.gleam.io, cdn.gleam.io

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| gleam_session | first_party | session | Stores the participant's session state inside a Gleam campaign and enables anti fraud checks during the entry workflow. |
| gleam_anon_id | first_party | 6 months | Anonymous identifier used by Gleam to deduplicate entries and recognise returning participants across sessions. |
| __cf_bm | third_party | 30 minutes | Cloudflare bot management cookie set on gleam.io to mitigate automated traffic and protect the giveaway from cheating. |
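
A check that the gating works, as an added example rather than code from Gleam or a CMP: it scans a capture taken before the visitor has consented and flags requests to the domains above and the cookies from the table. The capture format (`requests` with `setCookie` lines, plus a `documentCookie` string) and the sample values are constructed for illustration.

```javascript
// Cookie names the table marks first_party; read from document.cookie on the publisher page.
const FIRST_PARTY_COOKIES = ["gleam_session", "gleam_anon_id"];

// True for gleam.io and its subdomains (covers all four listed hosts),
// false for look-alikes such as notgleam.io or gleam.io.evil.example.
function isGleamHost(url) {
  let host;
  try { host = new URL(url).hostname.toLowerCase(); } catch { return false; }
  return host === "gleam.io" || host.endsWith(".gleam.io");
}

// Returns one finding per pre-consent request, response cookie or stored cookie.
function auditPreConsent(capture) {
  const findings = [];
  for (const req of capture.requests) {
    if (!isGleamHost(req.url)) continue;
    findings.push({ kind: "request", detail: req.url });
    // __cf_bm is used by many Cloudflare sites, so it only counts when gleam.io set it.
    for (const line of req.setCookie || []) {
      findings.push({ kind: "third-party-cookie", detail: line.split("=")[0].trim() });
    }
  }
  for (const pair of capture.documentCookie.split(";")) {
    const name = pair.split("=")[0].trim();
    if (FIRST_PARTY_COOKIES.includes(name)) {
      findings.push({ kind: "first-party-cookie", detail: name });
    }
  }
  return findings;
}

// Constructed sample capture: a page that loaded the widget before consent.
const SAMPLE_CAPTURE = {
  requests: [
    { url: "https://shop.example/", setCookie: ["cart=abc; Path=/"] },
    { url: "https://widget.gleam.io/PLACEHOLDER.js", setCookie: ["__cf_bm=constructed; Path=/; HttpOnly"] },
    { url: "https://notgleam.io/x.js", setCookie: [] },
  ],
  documentCookie: "cart=abc; gleam_anon_id=constructed",
};
```

An empty result from `auditPreConsent` on a capture recorded before any consent choice is what a correctly gated page should produce.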
The Gleam widget sets first party cookies (gleam_session, gleam_anon_id) to deduplicate entries and remember the participant's state. Connecting a social account causes Gleam and the social plugin to drop additional third party cookies.
Yes. The widget loads third party JavaScript and writes cookies that are not strictly necessary, so prior consent is required under Article 5(3) of the ePrivacy Directive. The processing of participant data also requires a clear GDPR legal basis.
For voluntary actions like email submissions, consent is the appropriate basis. For mandatory entry conditions (filling in a participant form), contract performance for the giveaway terms can apply, but cookie storage still needs consent.
Yes. Gleam.io Pty Ltd is based in Australia and uses US sub processors. Australia is not covered by an EU adequacy decision, so the transfer relies on Standard Contractual Clauses with supplementary measures.
A DPIA is recommended when Gleam is used to collect large volumes of personal data, when sensitive categories are processed, or when the data is shared with third party platforms beyond mere verification.
Block the widget through your CMP until consent, use click to consent for social plugins, sign the Gleam DPA, define a retention policy for entries and OAuth tokens, and publish a clear giveaway privacy notice.
EU hosted alternatives include Drimify, Qualifio (Belgium) or Easypromos (Spain), all of which offer giveaway and contest mechanics with EU data residency.
Add a section that names Gleam.io, lists the cookies (gleam_session, gleam_anon_id) with purpose and duration, mentions the embedded social plugins (Facebook, Twitter, Instagram, etc.) and discloses the transfer to Gleam.io Pty Ltd in Australia.